Letsencrypt finally figured out (meh)

One afternoon I was bored on a bank holiday and decided to go and figure out Let's Encrypt, of which my previous attempt left much to be desired (my blog).

The domain was using self-signed certs for email and I had no www host, and being slightly drunk certainly made a game of it; after all, this has got to work somehow.

Certbot here is from Debian backports; I guess I might end up compiling everything if I built it from source. Since I use Debian, let's try and keep it the Debian way.

I had to do some www config work (listening on 80 and 443 in Apache), and I also did some DNS redirect diversions a day earlier.

gets worse

Nitpick: the man page for certbot really sucks in formatting; you have to be in FULL SCREEN mode or otherwise the formatting is shit. I smell a GNOME developer.

With my config I then experimented until I hit the right command to use with Apache, since I have a host that serves more than just one website, which is where crappy website hosting will assume that you have only one.

I used

certbot certonly --webroot -w /var/www/<host>/ -d <host>

which picked up my config rather than assuming I have only one IP address.

Anyhow, I eventually got a working certificate (not getting a useless www. is a plus point) after some Apache config work and restarts, but guessing where the certs were was the next issue; a Google search discovered that /etc/letsencrypt/live/<host>/*.pem was the ticket. I never trusted or knew about the automatic Apache config mode, of which I have no idea whether it is for the 2.2 or 2.4 release.

Reconfiguring Apache could be a big job for me if it fucks up, as we host more than one website here in the zoo on one computer. I really do not trust certbot to configure things, and I like to know how it works rather than have some stuff I did not set up.

For DANE (my blog) I had to hash cert.pem; I only really want it for that, not Apache. Why I can't use email to approve this shit like paid certs do is beyond me; if they want an Apache config I am willing to oblige, but this is me pushing the average-user envelope.

Most people reading this probably cannot use TLS in email (say, Gandi clients) or have DKIM-signed mail unless you buy a high-end Xen instance and configure it yourself. TLS encryption was a no in the cheapest Gandi* offering when I looked.

Let's Encrypt works in Postfix too once you set the cert, CA chain and private key; TLSA hashing was successful too, a benefit of doing the Apache SSL config.

These certs only last three months, so expect a lot of crap in /var/log/letsencrypt from Python dumps, which is easier said than done to track down what generates them even with cron jobs turned off, although the renewal directory files appear to be adjusted by what I have no idea.

I have now got to write an index.html page and a 404 explaining the reason for this bizarre oddity. It's a make-work scheme, although it will work with the default index.html we all know and love.

Then your renewal: you have to set up a cron entry, and in three months' time I then have to hash cert.pem once again and change the DNS records.

The cron scheduling may or may not be available with basic or average hosting.

I suppose it is better than self signed.

This I suppose is not how your average website would usually get a TLS cert, but the monkey house is not constrained like you lot with one IP address, a virgin domain name and a strange version of DNS, email and hosting.

It works here, though setting HSTS (my blog) to three months is deemed ‘bad’ by some.

*Gandi is a hosting firm, not an Indian.

Game issues with 32- and 64-bit versions in Debian testing

My Steam games mostly do not work (my blog), and when I tried a long-term beta game (not Steam) it had no sound and poor resolution in 64-bit and crashed before loading; in 32-bit the game ran but crashed in game.

I deleted my Steam client, but some fun with the demo of Life Is Strange (which never worked) meant I had to su and delete weird Steam crap:

/home/bananas/.steam/steam/steamapps/common/Life Is Strange/bin# ls
fontconfig  ??!I@?  ??Q?rA????-???Q?*?P ???20????0???  ???(0?-1???? ?0@??@??!?

Somebody at Steam still loves Microsoft.

Dead letter abuse boxes (or an end to DMARC probers)

One day they just stopped, and since most of them are in China* it's been boring on the DMARC (my blog) front ever since.

However, since reporting abuse to China does not work except for ‘special’ people, it can be said that many Chinese ISPs colluded. Any American reading this should comprehend that China is not Russia.

Of other countries, Vietnam has one attempt and the US a couple, so either they're spoofing somebody without DMARC (which is something I would have done months ago) or the thing that controlled it is down, rather than looking an idiot once a day like China did.

I still have the data and can firewall it in seconds; the DMARC records still exist and are permanent, so I will now only report on the latest attempts and correlate them with previous behaviour.

Latterly I have also caught Amazon (yes, the big retailer) trying 24 attempts in one day via EC2 (my blog), so maybe this year will be the year that the US wins the gold medal in DMARC probes over China, with quantity from single hosts.

I am sure you are all looking forward to these posts. Exciting stuff.

*Both HK and mainland.
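The "24 attempts in one day from one host" pattern above is exactly what a DMARC aggregate (RUA) report exposes per source IP. As an added example (not code from the blog), here is a small standard-library parser that reads a report in the RFC 7489 Appendix C layout, tallies messages that failed both DKIM and SPF per source, and flags sources over a threshold so repeat probers can be correlated run to run. The embedded report and its addresses are constructed for the example (RFC 5737 documentation ranges), not captured data.

```python
# Added example: tally DMARC-failing sources in an aggregate report and flag
# hosts that keep probing. Not the blog author's code; sample report is constructed.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed RUA report in the RFC 7489 Appendix C layout. One host sends 24
# failing messages, one sends a single failing message, one is legitimate mail.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1483228800</begin><end>1483315199</end></date_range>
  </report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>24</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>1</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip>
      <count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return one dict per <record>: source_ip, count, disposition, dkim, spf."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip", "").strip(),
            "count": int(row.findtext("count", "0")),
            "disposition": evaluated.findtext("disposition", ""),
            "dkim": evaluated.findtext("dkim", ""),
            "spf": evaluated.findtext("spf", ""),
        })
    return records


def failed_attempts_by_ip(records):
    """Messages per source that passed neither DKIM nor SPF (a DMARC fail)."""
    tally = Counter()
    for r in records:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            tally[r["source_ip"]] += r["count"]
    return tally


def flag_probers(tally, threshold):
    """Sources whose failed-message count meets the threshold, busiest first."""
    return [ip for ip, n in tally.most_common() if n >= threshold]


if __name__ == "__main__":
    tally = failed_attempts_by_ip(parse_report(SAMPLE_REPORT))
    for ip, n in tally.most_common():
        print(f"{ip:16} {n:4d} failed")
    print("probers over threshold:", flag_probers(tally, 10))
```

Feed it each day's reports and keep the per-IP tallies; a source that fails authentication in volume, or reappears across days, is the one worth firewalling or reporting, while a single failure from a host that otherwise passes is usually a forwarder, not a prober.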

Women and the leaky tap

Over Christmas the monkey house had guests for the day; being first-time visitors, they naturally got a tour of everything by the older lady apes. One room has a leaky tap and the plug holes were down; this met with much disapproval for some strange reason.

Noisy sods, it is not like they're plumbers.

The Return, Hisham Matar

Milliband s come with rent boys - On your side ?


ISBN 9780670943335 is a real-life tale by an author I have read before (my blog). David Miliband comes across as shifty (my blog) and untrustworthy as the now head of a refugee charity organisation, but as a tale of Libya and its tribulations it is well worth reading as to what could be going on, since the MSM don't really cover it.

5/5 bananas – an Economist pick of 2016 too.

Giving up on the mysteries of HPKP

Sisyphus is still a role model

I have written about HPKP (my blog) before but find it lacking in usable documentation. Quite how you specify a backup cert in, say, Apache I leave as a question to gurus; buying a cert in order not to use it seems strange, and how that would affect CAA records if it came from another supplier is a mystery it seems I will not bother to figure out, for it is bollocks to common sense. Could one be deemed a fake cert issue that gets the CA removed from, say, Firefox? That is a problem I foresee if HPKP takes off.

I suppose it could be done, but then if the hostname does not match you're still going to get grief from Firefox about host mismatch problems; forget self-signed SSL. Add the cost of EV certs in too, or the problem of a cert with multiple addresses, and then you still have no backup HPKP.

I think HPKP is a retarded man's DNSSEC (which the zoo has), but HPKP still has a cost with the backup certificate, which I guess makes the SSL mafia happy financially, and who cares if it gets used or not. They do not.

As I am no HPKP guru, nor feel the need to become one, I ask the question: why is it only for webservers and not email too? Other ports can be utilised too, but you get my gripe.

So I have commented it out of the Apache config, for if I cannot figure it out then I doubt many others can use it either.

Anyhow not my problem.
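Both the Let's Encrypt post above (hashing cert.pem for a DANE TLSA record, and having to redo it after each renewal) and this HPKP post come down to the same operation: a SHA-256 over the certificate or its SubjectPublicKeyInfo (SPKI). As an added example (not the blog author's code, nor certbot's), here is a standard-library script that extracts the SPKI with a tiny DER walker, prints the TLSA rdata in both the selector 0 (whole cert) and selector 1 (SPKI) forms, derives the HPKP pin-sha256 value from the same SPKI hash, and checks a published TLSA record against the cert actually served. The certificate embedded at the bottom is a constructed, unsigned shell with the right DER layout (zeroed key and signature), just enough to exercise the parser; point the functions at a real cert.pem for real records.

```python
# Added example: DANE TLSA rdata and HPKP pin from a certificate PEM, standard
# library only. Not code from the blog or from certbot; sample cert is constructed.
import base64
import hashlib
import re


def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert."""
    tag, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, start)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    tag, _, end = _tlv(der, pos)            # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return der[pos:end]


def tlsa_record(der, selector):
    """TLSA rdata: usage 3 (DANE-EE), selector 0 (cert) or 1 (SPKI), matching 1 (SHA-256)."""
    data = der if selector == 0 else extract_spki(der)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"


def tlsa_matches(published, der):
    """Check a published '3 <selector> 1 <hex>' record against the served cert."""
    usage, selector, mtype, digest = published.split()
    if (usage, mtype) != ("3", "1") or selector not in ("0", "1"):
        return False
    return tlsa_record(der, int(selector)).split()[3] == digest.lower()


def hpkp_pin(der):
    """HPKP pin-sha256 value: base64 of SHA-256 over the SPKI DER (same bytes as TLSA 3 1 1)."""
    return base64.b64encode(hashlib.sha256(extract_spki(der)).digest()).decode()


# --- constructed sample: a syntactically valid Certificate shell, not a real or
# signed cert (zeroed public key and signature), enough to exercise the parser ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _oid(hexstr):
    return _der(0x06, bytes.fromhex(hexstr))


_SIG_ALG = _der(0x30, _oid("2A864886F70D01010B") + _der(0x05, b""))   # sha256WithRSAEncryption
SAMPLE_SPKI = _der(0x30,
    _der(0x30, _oid("2A8648CE3D0201") + _oid("2A8648CE3D030107"))      # ecPublicKey, P-256
    + _der(0x03, b"\x00\x04" + bytes(64)))                             # placeholder point
_TBS = _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))                                    # version v3
    + _der(0x02, b"\x01")                                              # serial number
    + _SIG_ALG
    + _der(0x30, b"")                                                  # empty issuer Name
    + _der(0x30, _der(0x17, b"170101000000Z") * 2)                     # validity
    + _der(0x30, b"")                                                  # empty subject Name
    + SAMPLE_SPKI)
SAMPLE_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" + bytes(8)))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("_25._tcp.<host>. IN TLSA", tlsa_record(der, 1))
    print('Public-Key-Pins: pin-sha256="%s"; max-age=...' % hpkp_pin(der))
```

The selector 1 form hashes only the public key, so a renewal that keeps the same private key leaves the DNS record valid; certbot generates a fresh key on renewal unless told to reuse it, which is why the three-monthly re-hash and DNS change described above is needed at all. Running tlsa_matches against the cert Postfix is actually serving, right after each renewal, catches the stale-record case before remote DANE-validating senders start refusing the mail.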


Class – or self-aware BBC diversity

British version of high school Grange Hill.

Class is a tween Dr Who thing online at the BBC, since it is apparently not children's TV (my blog) or good enough for broadcasting on the BBC. Go figure.

It reeks of self-awareness (a script-writing test is mentioned within minutes) and has a quota (my blog) of multicultural types. Did I mention media studies?

Villains look video-game-ish and the kids brood like chickens on heat. Of what I saw (in fast-forward mode), one villain a week is either stalemated or dispatched (that's the first two episodes).

Logically there is a flaw in the location against the continuity or Dr Who legends that really you should not think about, but I did.

Either this is thought of as the next-generation thing but for kids' TV rather than mainstream broadcasting, not for export, or it is a project failure, since BBC Three is no longer an attractive thing for talent since it's not on TV.

With America featuring in the Christmas special of Dr Who, and with an SJW theme, it seems to be at odds with snobby BBC management; while America might like it, the UK side is going the children's TV version.

I won't rate either.

A Windows 10 tale of woe and despair including British India

A pissed off zebra

As a last resort the giraffe enclosure here in the zoo sent a message via the bush telegraph to us apes to fix their computer. A microfilter was handed over by us in the monkey house, and an hour later I happened to be near, so I popped into the giraffe enclosure; bananas is brave like that.

I was presented with a crap NEW HP laptop running Windows 10 which did not ‘work’. God, I hate Windows 10 and any Microsoft (Microshit) products. Whoever at MS thought that was a great OS must have been smoking something amazing.

Anyhow …

Email was the main problem, and that appears to be a Microsoft-induced version of hell as an email client; synchronising stuff took forever thanks to British Telecom, but that I think is down to a slow computer, as our Linux stuff seemed OK.

I was not the first on the scene: family were, and a helpful library idiot and British Telecom had been and failed to sort things out or change any settings.

But the internet connection was embarrassingly slow and no speed test websites rendered in Internet Explorer, much to my embarrassment. The hub gave out an RFC 1918 class C address.

The adverts were horrible.

If I worked for BT I would be ashamed of the service they provided. Any view of HP being not negative too is bizarre.

Sisyphus is still a role model

However, I turned off a few things, got back some email that Microsoft had lost and got the printer queue cleared. Which is more than you can say for family, library or corporate ‘help’.

I suppose it does work, but it is not something I could recommend. But the money upgrades must be a plus point for the corporates soon.

If that is the average person's internet experience then both HP and BT plc hate the internet as a thing.

If you're an advertiser and wonder why people block adverts, then buy Windows 10 and run it on a BT broadband connection; you'll soon come to a conclusion.

J-drama and anime updates

J-dramas are still missing, so I went searching and found a new site with some, and I have yet to find anything good; there was a Dr Coto (my blog) clone which was referred to but done for laughs, so nothing sensational so far.

If you do like horrific drama, there is one about a brain surgeon transported back to Japanese feudal times, and yes, it involves a chisel and hammers.

I did watch a tourist thing about Fukushima province which was a bit cheesy but dispelled a few myths from the anti-nuclear lobby.

In anime I can recommend March Comes in Like a Lion, although its quality varies depending upon the character's perspective. Flying Witch was a late end-of-year watch and is a gentle and fun one; I have a nitpick question about it though.

Speaking of places, Burkina Faso (my blog) is mentioned, which made me laugh.

One anime caught a lot of attention from its sport, but I will blog about that in 2018, which I did not see.

Of what I've seen …

Psycho-Pass (my blog) has a new season and has moved from its original location. It is going over the same issues, but I am wondering about the odd logic of using a Latin alphabet in a country which speaks Japanese and is isolated from the rest of the world; but that's me nitpicking.